Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Tony J. Genovese tony at es.net
Mon Oct 10 20:02:25 CDT 2005


Here is some information on Name Constraint validation for Windows clients:

--------------- From Microsoft TechNet -------------------

Name constraint validation
A CA certificate can contain name constraints that are applied to all
certificate requests made to the CA. Each request is compared to the list of
permitted and excluded constraints to determine whether the certificate
should be considered permitted, not permitted, excluded, or not defined. 

Note
Name constraint validation can only be performed by Windows XP and Windows
Server 2003 clients. Name constraints are not evaluated by Windows 2000
clients. If you require that name constraints be applied, you can indicate
that the extensions are critical, which should result in the chain being
discarded by an application conforming to RFC 2459.
 
For example, a permitted constraint could allow all DNS names that end in
contoso.com. This would include DNS names such as contoso.com and
xcontoso.com. If you only wanted DNS names from the contoso.com DNS name
space, you could use the permitted constraint .contoso.com. This constraint
would permit x.contoso.com but exclude xcontoso.com. 

When name constraints are present in a CA certificate, the following rules
are applied to the subject name and alternate subject name entries. 

- If the name constraints extension exists in a CA certificate, all name
constraints should be present in the extension. Any name constraints that
are not included are considered wildcards that will match all possibilities.
For example, if the DNS name constraint were absent, the entry would be
treated as DNS=.

- All name constraints will be considered. There is no precedence applied to
the listed name constraints. It is for this reason that name constraints
that are not present are treated as wildcards.

- An excluded name constraint will take precedence over a permitted name
constraint.

- Name constraints are applied to the subject name extension and any
existing subject alternate name extensions.

- Name constraints apply to all names contained in an end certificate. Each
name in the subject or subject alternate name extensions should match at
least one of the name constraints listed for that name type. A subject name
or subject alternate name that does not match a listed name type will be
rejected. Note that most client name spaces are not included in a CA
certificate and generally do not apply.

- Name constraints are case-sensitive if the names are stored in ASCII or
Unicode format.
 
Name restrictions must be enforced across the following alternative name
information entries in the subject name: Other Name (NT Principal Name
only); RFC 822 Name; DNS Name; URL; Directory Name, and IP address. 

When the certificate chain engine validates an end certificate for name
constraints, it will arrive at one of the following results: 

- Permitted: The end certificate contains a name that is listed as permitted
in an issuer's name constraints extension.

- Not permitted: The end certificate contains a name that is not listed as
permitted in an issuer's name constraints extension.

- Excluded: The end certificate contains a name that is listed as excluded in
an issuer's name constraints extension.

- Not defined: The issuer certificate does not list a constraint for a
specific name type (such as Directory Name or IP Address).
 
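Added example (not from the post or from Microsoft): a small Python model of the DNS-name rules quoted above, so the suffix-match behaviour of "contoso.com" versus ".contoso.com", the wildcard treatment of a missing constraint type, and excluded-beats-permitted can be checked against concrete names. Function names and the list-based constraint representation are assumptions of this example.

```python
# Model of the Windows DNS-name constraint rules described above
# (added example, not Microsoft code). Matching is a case-sensitive
# suffix test: "contoso.com" also matches "xcontoso.com", while
# ".contoso.com" matches "x.contoso.com" but not "xcontoso.com".
PERMITTED, NOT_PERMITTED, EXCLUDED, NOT_DEFINED = (
    "permitted", "not permitted", "excluded", "not defined")


def dns_matches(name: str, constraint: str) -> bool:
    """Case-sensitive suffix match, as the TechNet text describes."""
    return name.endswith(constraint)


def evaluate_dns_name(name: str, permitted: list, excluded: list) -> str:
    """Classify one dNSName against the issuer's DNS constraints."""
    # An excluded entry takes precedence over any permitted entry.
    if any(dns_matches(name, c) for c in excluded):
        return EXCLUDED
    # No DNS constraint at all: the type is a wildcard (treated as DNS=).
    if not permitted and not excluded:
        return NOT_DEFINED
    # Otherwise the name must match at least one permitted entry.
    if any(dns_matches(name, c) for c in permitted):
        return PERMITTED
    return NOT_PERMITTED


def evaluate_certificate(dns_names: list, permitted: list,
                         excluded: list) -> str:
    """Combine per-name results for every DNS name in subject and SAN.

    One excluded name rejects the chain; failing that, one not-permitted
    name rejects it; otherwise it is permitted, or not defined when the
    issuer carries no DNS constraint for any of the names.
    """
    results = [evaluate_dns_name(n, permitted, excluded) for n in dns_names]
    if EXCLUDED in results:
        return EXCLUDED
    if NOT_PERMITTED in results:
        return NOT_PERMITTED
    if results and all(r == NOT_DEFINED for r in results):
        return NOT_DEFINED
    return PERMITTED
```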